Question & Answer
Question
How do you audit use or change operations on objects on the System?
Answer
According to the Security Reference manual, the IBM i operating system provides the ability to log accesses to an object in the security audit journal by using system values and the object auditing values for users and objects. This is called object auditing. This document describes how to turn on object auditing and analyze the results.
Chapter 9 of the Security Reference manual, documents the use of the CHGOBJAUD command.
Chapter 9 of the Security Reference manual, documents the use of the CHGOBJAUD command.
Steps
First, verify that the QAUDJRN journal exists and that you are tracking for Object Auditing operations *OBJAUD. Use the DSPSECAUD command and make sure the following settings are configured on your system:
Step 1:
Step 1:
Security journal QAUDJRN exists . . . . . : YES
Current QAUDCTL system value . . . . . . : *AUDLVL *OBJAUD *NOQTEMP
If not listed, use the CHGSECAUD command to add them to your system. The value *OBJAUD for the QAUDCTL system value is required to audit the use or change of objects.
Auditing for Use Operations on Objects.
Step 1. Turn on object auditing on the object:
CHGOBJAUD OBJ(V6CASTIL/PAYROLL) OBJTYPE(*FILE) OBJAUD(*ALL)
Note: For this example, we are turning on auditing on the file PAYROLL in library V6CASTIL, replace the object name, library and type on the object to be audited.
Analyzing the Results.
Method 1 for releases 7.3, 7.4, 7.5:
NOTE: This SQL sample uses the AUDIT_JOURNAL_ZR table function only available on Releases 7.3, 7.4 and 7.5. For older releases, use Method 2.
NOTE 2: The SQL table function is available with the following PTFs:
- R750: Base, Enhanced: SF99950 Level 3
- R740: SF99704 Level 13, Enhanced: SF99704 Level 23
- R730: SF99703 Level 24, Enhanced: SF99703 Level 26
Step 1: Using the Run SQL Scripts tool, run the following SQL Statement:
SELECT ENTRY_TIMESTAMP,
JOB_NAME,
JOB_USER,
JOB_NUMBER,
ENTRY_TYPE,
ENTRY_TYPE_DETAIL,
ACCESS_TYPE,
ACCESS_TYPE_DETAIL,
OBJECT_NAME,
LIBRARY_NAME,
OBJECT_TYPE,
MEMBER_NAME
FROM TABLE (
SYSTOOLS.AUDIT_JOURNAL_ZR(STARTING_TIMESTAMP => CURRENT TIMESTAMP - 7 DAYS)
)
WHERE OBJECT_NAME = 'PAYROLL'
NOTE: Adjust the Time and Date.
NOTE 2: Replace PAYROLL with the name of the object being audited. Use all uppercase letters for the name of the object.
Authorization: The caller must have:
- *USE authority to the audit journal and to all requested journal receivers, and
- *OBJEXIST authority to the audit journal
Method 2 for all releases:
Step 1:
Create a file with the contents of ZR (Object Use) Operations:
CPYAUDJRNE ENTTYP(ZR) OUTFILE(V6CASTIL/QAUDIT) JRNRCV(*CURCHAIN) FROMTIME(032323 070000) TOTIME(032323 090000)
NOTE: Adjust the Time and Date.
NOTE 2: Replace V6CASTIL with the name of the library where the file QAUDITZR is created.
Step 2:
Using the Run SQL Scripts tool, run the following SQL Statement:
SELECT ZRTSTP,
ZRJOB,
ZRUSER,
ZRNBR,
ZRTYP,
ZRONAM,
ZROLIB,
ZROTYP,
ZRACTP
FROM v6castil/qauditzr
WHERE ZRONAM = 'PAYROLL'
NOTE: Replace PAYROLL with the name of the object being audited. Use all uppercase letters for the name of the object.
NOTE 2: Change V6CASTIL with the name of the library used on Step 1.
Auditing for Change Operations on Objects.
Step 1. Turn on object auditing on the command:
CHGOBJAUD OBJ(V6CASTIL/CREDITCARD) OBJTYPE(*FILE) OBJAUD(*CHANGE)
Note: For this example, we are turning on auditing on the file CREDITCARD in library V6CASTIL, replace the object name, library and type on the objects to be audited.
Analyzing the Results.
Method 1 for releases 7.3, 7.4, 7.5:
NOTE: This SQL sample uses the AUDIT_JOURNAL_ZC table function only available on Releases 7.3, 7.4 and 7.5. For older releases, use Method 2.
NOTE 2: The SQL table function is available with the following PTFs:
- R750: Base, Enhanced: SF99950 Level 3
- R740: SF99704 Level 13, Enhanced: SF99704 Level 23
- R730: SF99703 Level 24, Enhanced: SF99703 Level 26
Step 1: Using the Run SQL Scripts tool, run the following SQL Statement:
SELECT ENTRY_TIMESTAMP,
JOB_NAME,
JOB_USER,
JOB_NUMBER,
ENTRY_TYPE,
ENTRY_TYPE_DETAIL,
ACCESS_TYPE,
ACCESS_TYPE_DETAIL,
OBJECT_NAME,
LIBRARY_NAME,
OBJECT_TYPE,
MEMBER_NAME
FROM TABLE (
SYSTOOLS.AUDIT_JOURNAL_ZC (STARTING_TIMESTAMP => CURRENT TIMESTAMP - 7 DAYS)
)
WHERE OBJECT_NAME = 'CREDITCARD'
NOTE: Adjust the Time and Date.
NOTE 2: Replace CREDITCARD with the name of the object being audited. Use all Upper Case letters for the name of the object.
Authorization: The caller must have:
- *USE authority to the audit journal and to all requested journal receivers, and
- *OBJEXIST authority to the audit journal
Method 2 for all releases:
Step 1:
Create a file with the contents of ZC (Object Change) Operations:
CPYAUDJRNE ENTTYP(ZC) OUTFILE(V6CASTIL/QAUDIT) JRNRCV(*CURCHAIN) FROMTIME(032323 070000) TOTIME(032323 090000)
NOTE: Adjust the Time and Date.
NOTE 2: Replace V6CASTIL with the name of the library where the file QAUDITZC is created.
Step 2:
Using the Run SQL Scripts tool, run the following SQL Statement:
SELECT ZCTSTP,
ZCJOB,
ZCUSER,
ZCNBR,
ZCONAM,
ZCOLIB,
ZCOTYP,
ZCACTP
FROM v6castil/qauditzc
WHERE ZCONAM = 'CREDITCARD'
NOTE: Replace CREDITCARD with the name of the object being audited. Use all uppercase letters for the name of the object.
NOTE 2: Change V6CASTIL with the name of the library used on Step 1.
Related Information
[{"Type":"MASTER","Line of Business":{"code":"LOB57","label":"Power"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CHyAAM","label":"Security"}],"ARM Case Number":"TS012518509","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.2.0;7.3.0;7.4.0;7.5.0"}]
Was this topic helpful?
Document Information
Modified date:
19 February 2024
UID
ibm16965734